This WireGuard tutorial is for beginners. Before proceeding, make sure you have a working reset button and have backed up your configuration (so you can reset your router and restore the configuration if you get stuck somewhere).
This guide will show you the basics of creating a tunnel from your Android/iOS device to a DD-WRT unit in a secure way.

WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache.
It intends to be considerably more performant than OpenVPN.

Starting from February 2019 and courtesy of BrainSlayer (Sebastian Gottschall, lead DD-WRT developer), a client config can be imported to Android/iOS in a very simple way using a QR Code.
No more complicated key generation, copy-paste and other headaches. The advantage of this approach is that there is no need to transfer sensitive information via data channels that can potentially be compromised,
and there is no need for any supplementary software besides the WireGuard app (Android/iOS) and the DD-WRT GUI.

The QR Code is a two-dimensional version of the barcode, known from product packaging in the supermarket.
Originally developed for process optimization in the logistics of the automotive industry, the QR Code has found its way into mobile marketing with the widespread adoption of smartphones.
"QR" stands for "Quick Response", which refers to the instant access to the information hidden in the Code.
QR Codes are gaining popularity because the technology is "open source", i.e. available for everyone.
Significant advantages of QR Codes over conventional barcodes are larger data capacity and high fault tolerance.

First, enable the tunnel on the DD-WRT EOP Tunnel page (http://your_router_ip/eop-tunnel.asp).
From the Protocol Type drop-down menu, choose WireGuard. Click Generate Key and enter an IP Address (this will be the oet1 interface IP and must be outside your local LAN range, on a separate network).
E.g. if your router LAN IP is 192.168.2.1, use 10.10.0.1 as the IP address of oet1.

The disadvantage of WireGuard is that you cannot bridge anything. You always have to forward and do NAT. No other way!
So, head to Networking.asp, unbridge the oet1 interface and enable Masquerade / NAT. Apply. This way, you'll have internet on the other side of your tunnel.

Start your WireGuard app. In the lower right corner press "+" and select "Create from QR code", then scan the QR Code shown in the DD-WRT GUI (peer section).
After transferring the config file from DD-WRT you will be prompted to name your tunnel.
Go to "what is my ip" to check your public IP.
WireGuard app: Android, Apple iOS (iOS 12.0 or later)

You can use the console or Pamac. It's your choice :)
I prefer Gtk3. Go to the eop-tunnel.asp page of your router,
and use flameshot to select the area of the QR code and grab a screenshot.
Save it, but remember the location and name of the PNG file.
Open qtqr and add the PNG file (choose Decode from file).
You will be presented with the decoded text config file.
Use it to populate the WireGuard client-side config in NetworkManager.

After importing the config from DD-WRT into the Android/iOS app, you can edit the peer section (tap the pencil in the upper right corner) and set the Endpoint.
Enter something like this: Endpoint = my.ddns.address.com:51820. This way you will be able to access your router even after a reboot or an IP change.

You cannot use allowed IPs of 0.0.0.0/0 for both peers. This causes a collision. What works is setting 10.10.0.2/32 and 10.10.0.3/32.
The allowed IPs feature is for crypto routing. The key is valid for the allowed IP space. So, one single key is valid for the whole space.

First of all, you need to enable the "Local DNS" option and disable the "No DNS Rebind" option in the DNSMasq section of the Services.asp page.
Then, on the eop-tunnel.asp page, enter your router/local DNS IP (e.g. 192.168.1.1) in the Peer Tunnel DNS field. Repeat this for every peer.
As mentioned before, WireGuard cannot be bridged. So you need to specify the WireGuard interface, or the local IP of the interface, in dnsmasq as an additional binding interface / listener (interface=oet1). There is also an nvram variable "dnsmasq_addif" which allows you to specify custom additional interfaces (nvram set dnsmasq_addif=oet1). But the easiest way is to simply add a DHCP interface at Networking.asp (bottom of the page). Since the client is not requesting any IP, nothing special will happen. DHCP is present and reachable, but unused.

AllowedIPs: This is required. Represents the IP addresses that this peer is allowed to use inside the tunnel. Usually these are the peer's tunnel IP addresses and the networks the peer routes through the tunnel. Outgoing packets will be sent to the peer whose AllowedIPs contain the destination address (if there are multiple matches, the one with the longest matching prefix is chosen). Incoming packets are only accepted if traffic to their source IP would be sent to the same peer. May be specified multiple times.
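The allowed-IPs rules above (the 0.0.0.0/0 collision, longest-prefix selection for outgoing packets, and the source check on incoming packets) can be modelled in a few lines. This is an added example, not DD-WRT or WireGuard code; the peer names and the helper functions are hypothetical, and the addresses are the ones used in this guide.

```python
import ipaddress

# Constructed peer tables for the router side (oet1); peer names are hypothetical.
GOOD = {"phone": ["10.10.0.2/32"], "laptop": ["10.10.0.3/32"]}
BAD = {"phone": ["0.0.0.0/0"], "laptop": ["0.0.0.0/0"]}


def build_table(peers):
    """Flatten {peer: [cidr, ...]} into a list of (network, peer) pairs."""
    return [(ipaddress.ip_network(cidr), name)
            for name, cidrs in peers.items() for cidr in cidrs]


def find_collisions(peers):
    """Return prefixes claimed by more than one peer.

    A prefix can map to only one peer key, so any entry here is a
    configuration error like the 0.0.0.0/0 case described above.
    """
    owners = {}
    for net, name in build_table(peers):
        owners.setdefault(net, []).append(name)
    return {str(net): names for net, names in owners.items() if len(names) > 1}


def route_out(peers, dst):
    """Choose the peer for an outgoing packet: longest matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, name)
               for net, name in build_table(peers) if addr in net]
    return max(matches)[1] if matches else None


def accept_in(peers, from_peer, src):
    """Accept a decrypted packet only if its source IP routes back to the sender."""
    return route_out(peers, src) == from_peer


if __name__ == "__main__":
    print("collisions (bad): ", find_collisions(BAD))
    print("collisions (good):", find_collisions(GOOD))
    print("10.10.0.3 goes to:", route_out(GOOD, "10.10.0.3"))
    # A packet from 'phone' claiming the laptop's tunnel address is dropped.
    print("spoofed source accepted:", accept_in(GOOD, "phone", "10.10.0.3"))
```

Running `find_collisions` over a planned peer list before entering it in the GUI catches overlapping entries early.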

A base64 preshared key generated by wg genpsk. Optional, and may be omitted. This option adds an additional layer of symmetric-key cryptography to be mixed into the already existing public-key cryptography, for post-quantum resistance.